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Resume 

In this proposal for the Journees Codes et Steganographie 2012, we 
define a new rigorous approach for steganalysis based on the complexity 
theory. It is similar to the definitions of security that can be found for 
hash functions, PRNG, and so on. We propose here a notion of secure 
hiding and we give a first secure hiding scheme. 



1 Introduction 

Robustness and security are two major concerns in information hiding. These 
two concerns have been defined in [6| as follows. "Robust watermarking is a 
mechanism to create a communication channel that is multiplexed into original 
content [...]. It is required that, firstly, the perceptual degradation of the marked 
content [...] is minimal and, secondly, that the capacity of the watermark channel 
degrades as a smooth function of the degradation of the marked content. [...]. 
Watermarking security refers to the inability by unauthorized users to have 
access to the raw watermarking channel. [...] to remove, detect and estimate, 
write or modify the raw watermarking bits." 

In the framework of watermarking and steganography, security has seen seve- 
ral important developments since the last decade pQ HI [7] . The first fundamental 
work in security was made by Cachin in the context of steganography [2]. Ca- 
chin interprets the attempts of an attacker to distinguish between an innocent 
image and a stego-content as a hypothesis testing problem. In this document, 
the basic properties of a stegosystem are defined using the notions of entropy, 
mutual information, and relative entropy. Mittelholzer, inspired by the work of 
Cachin, proposed the first theoretical framework for analyzing the security of a 
watermarking scheme [8]. 

These efforts to bring a theoretical framework for security in steganogra- 
phy and watermarking have been followed up by Kalker, who tries to clarify 
the concepts (robustness vs. security) , and the classifications of watermarking 
attacks [5]. This work has been deepened by Furon et ai, who have translated 
KerckhofFs' principle (Alice and Bob shall only rely on some previously shared 
secret for privacy), from cryptography to data hiding [5]. They used Diffie and 
Hellman methodology, and Shannon's cryptographic framework |10] . to classify 
the watermarking attacks into categories, according to the type of information 
Eve has access to |3J[S], namely : Watermarked Only Attack (WO A), Known 
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Message Attack (KMA), Known Original Attack (KOA), and Constant-Message 
Attack (CMA). Levels of security have been recently defined in these setups. The 
highest level of security in WOA is called stego-security [5], recalled below. 

In the prisoner problem of Simmons Alice and Bob are in jail, and 
they want to, possibly, devise an escape plan by exchanging hidden messages 
in innocent-looking cover contents. These messages are to be conveyed to one 
another by a common warden. Eve, who over-drops all contents and can choose 
to interrupt the communication if they appear to be stego-contents. The stego- 
security, defined in this framework, is the highest security level in WOA setup [3] . 
To recall it, we need the following notations : 

- K is the set of embedding keys, 

- p{X) is the probabilistic model of A^o initial host contents, 

- p{Y\Ki) is the probabilistic model of Nq watermarked contents. 
Furthermore, it is supposed in this context that each host content has been 

watermarked with the same secret key Ki and the same embedding function e. 
It is now possible to define the notion of stego-security : 

Definition 1 (Stego- Security) The embedding function e is stego-secure if 
and only if : 

VXi eK,p{Y\Ki) =p{X). 

2 Toward a Cryptographically Secure Hiding 

2.1 Introduction 

Almost all branches in cryptology have a complexity approach for security. 
For instance, in a cryptographic context, a pseudorandom number generator 
(PRNG) is a deterministic algorithm G transforming strings into strings and 
such that, for any seed k of length k, G{k) (the output of G on the input A;) has 
size icik) with icik) > k. The notion of secure PRNGs can now be defined as 
follows. 

Definition 2 A cryptographic PRNG G is secure if for any probabilistic poly- 
nomial time algorithm Z?, for any positive polynomial p, and for all sufficiently 
large k's, 

\Pi-[D{G{Uk)) = 1] - Pr[D{U,^^k)) = 1]| < 

where LV is the uniform distribution over {0, 1}'' and the probabilities are taken 
over Un, [^^^(jv) well as over the internal coin tosses of D. 

Intuitively, it means that no polynomial-time algorithm can make a distinc- 
tion, with a non-negligible probability, between a truly random generator and 

g. 

Inspired by these kind of definitions, we propose what follows. 

2.2 Definition of a stegosystem 

Definition 3 (Stegosystem) Let 21 an alphabet and S,M.,IC three sets of 
words on 21 called respectively the sets of supports, messages, and keys. 
A stegosystem on {S,M.,IC) is a tuple {I,£,inv) such that : 
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- I : S X M y. K. — 5- S, (s, m, k) i — 5- I(s, m, k) = s', 

- £ : S X K. — > M, (s, fc) i — > f (s, k) = m'. 

- inw : /C — /C, s.t. Vfc S /C, V(s, m) ^ S x A4, £{T{s, m, k),inv{k)) = m. 

- I(s, m, fc) and £{c, k') can be computed in polynomial time. 

I is called the insertion function, £ the extraction function, s the host content, 
m the hidden message, k the embedding key, k' = inv{k) the extraction key, 
and s' is the stego-content. If Vfc G /C, fc = inv{k), the stegosystcm is symmetric, 
otherwise it is asymmetric. 

Definition 4 (Bounded stegosystem) Let / : IN ^> IN. A stegosystem (T, £, inv) 
of (5,X,/C) is /-bounded if dom(Z) C (J 21" x Sl-'^f"' x /C. 

T161N 

Definition 5 (Probability set) A probability set X — {(S'„,P„),n G M} on 
21 is an infinite family of couples of finite sets Sn ^ 21* together with their 
probability distributions P„, such that for every n G M, there exists r G IN such 
that each element of 5„ is in W . The integer r is denoted i{Sn)- Moreover it is 
required that i{Sn) is bounded by a polynomial in n. 

2.3 Cryptographically secure hiding 

Definition 6 (Secure hiding) Let / : IN — > M, {I,£,inv) a stegosystem 
of {S,M,IC), and X = {{Sn,Pn),n G IN} a probability set. J is a /—secure 
hiding for X if it is /—bounded and if for every positive polynome p, for any 
probabilistic polynomial-time algorithm P, for any fc G /C, for all sufficiently 
large i's, for all m G 2l'^(^('5'))^ 

\Pr{V{IiS.,m,k)) = l)-Pr{ViS,) = l)\ < -1- + J- (1) 

p(i) p(fc) 

where the probabilities arc taken over the distribution X as well as over the coin 
tosses of V and where e(fc) — > when the size of k grows up. 

Intuitively, it means that there is no polynomial-time probabilistic algorithm 
being able to distinguish the host contents from the stego-contents 

Proposition 1 // /i < /2 one can compute from any f2 — secure hiding stego- 
system for X a f2~ secure hiding stegosystem for X . 

Example 1 Assume that 21 = {0, 1}, and that 

- there exists a G N such that for every n, \Sn\ = 2^^^"^"" and, 

- for each n, there exists s„ G {0,1}* such that Sn = {sn • w \ w G 
{0, 1}^('S'")-"^ where • is the concatenation product and, 

- for each n, each s G Sn, Pn{s) = 1/|S'„|. 

Let G be a cryptographic PRNG. We consider that X{s, m, fc) is defined for 
s G 5„ and TO G {0, 1}^('S'")-", for k such that the length of G(fc) is £(S'„) - a, 
by I{s,m,k) = s„ • (to © G{k)). Let /o be the function mapping n into n/a. 
The symetric stegosystem defined by I and where £{snW,k) = w ® G{k) is a 
/o— secure hiding stegosystem for X . 
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3 Conclusion 



We thus intend to propose to these Journces Codes et Steganographie 2012 
this new rigorous approach for steganalysis based on the complexity theory. 
It is inspired by the definitions of security that can usuaUy be found in other 
branches of cryptology. We have proposed a notion of secure hiding and presen- 
ted a first secure hiding scheme. Our intention is to prove this result during the 
presentation, and to give further developments, by adapting such a notion to 
define using complexity what is a robust watermarking, and what is a message 
that cannot be extracted. 
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